A primary concern for companies moving to the cloud is whether or not their workloads will remain secure. While that debate still happens, AWS has made great strides to assuage customer’s concerns by adding services to ensure workloads are well protected. At re:Invent 2018 another service named AWS Security Hub was added. Security Hub allows you to setup some basic security guardrails and get compliance information for multiple accounts within a single service. Amazon seems to have realized that enabling customers to very easily see their security recommendations for all environments in a single place has great value to their businesses.
Setup AWS Security Hub for Multiple Accounts
To setup AWS Security Hub, we first have to pick an account where our portal will live. Login to your AWS account of choice and navigate to “Security Hub” in the AWS console. Once you’ve logged in, you’ll need to enable the security hub service by clicking the button on the splash screen.
Once you click that button, you’ll be asked again to add Security Hub which will update some policies to give AWS permission to aggregate findings and read information from your accounts.
Once enabled, you’ll see a summary screen with some very uninteresting information on it at this point. To make Security Hub work really well, you’ll need to enable some things which will then be aggregated into the Security Hub console. To begin, we’ll enable the CIS Benchmarks which are a good baseline for how your cloud should be protected. Now, the important thing here is that CIS benchmarks are going to use AWS Config rules to ensure that specific cloud security metrics are monitored. Before you enable CIS Standards on the standards menu, be sure to enable AWS Config in the account you’re monitoring. This can be done via CloudFormation or through the console but be sure to enable AWS Config to record events for the region and globally.
Once Config has been enabled, it’s OK to enable the CIS Standards from the standards menu.
Once the CIS Standards have been enabled, a series of AWS Config Rules will be deployed. These might take a few minutes to show any data, but do note that these config rules cost $2 per account per region to use. Once Config has evaluated the rules you should see some data in the AWS Config console if you look at that service. You can see from my screenshot below that there are AWS Config Rules with a prefix of “securityhub” listed in my compliance rules list. You’ll also notice that I have some noncompliant resources, which were intentionally left noncompliant for demonstration purposes 😉 .
If we look back in Security Hub the Summary screen will now start showing some useful data about our compliance metrics.
We’ll also see that these benchmarks now show up in my security hub findings with a status of either FAILED or PASSED. It also shows the CIS benchmark title for which benchmark has been missed if any of them are failed.
There are also additional providers that can be added to the Security Hub to make it more extensible. Out of the box there are three more services that AWS will aggregate in your findings list which are:
You can set those three services up in your AWS Account to have their findings aggregated within the Security Hub service console. There are also third party services that can be added to the console and this can be done by going into the “Settings” menu and enabling them from the providers screen. This makes Security Hub a “single pane of glass” for aggregating your compliance and security findings.
Add Additional Accounts
So far we’ve done all the configuration within a single account, but what if we’ve designed our AWS environments with multiple accounts for billing or security reasons? Not a problem, we can go back into the settings of our Security Hub console and we can invite other accounts. To do this go to the Accounts tab and invite another account. When you invite another account nothing will happen until the member accounts accept the invitation.
To accept, we’ll login to the member account and go into the Security Hub console just as we did with our master account. Then under settings, we’ll see an invitation from the master. Click the Accept slider button to accept the invitation. Once this is complete, the results for the member account will be displayed in the master account’s Security Hub console. Be sure to enable config, GuardDuty, Inspector, etc on the member accounts too so that all your findings are being sent along correctly.
AWS Security Hub is a really nice to have service to bring all the individual compliance and security tools AWS offers into a single view for administrators. As of the time of this writing, the Security Hub service pricing is not available yet, but you will be charged for the services it relies on such as AWS Config and GuardDuty. If you’re setting up a production AWS environment, Security Hub should be part of your basic deployment routine.